Information and software program companies agency Blackbaud’s cybersecurity was criticised as “lax” and “shoddy” by the US Federal Commerce Fee (FTC) in a damning autopsy of the enterprise’s February 2020 knowledge breach.
In line with the FTC, Blackbaud’s poor safety breach in February 2020 led to a hacker accessing the corporate’s buyer databases and stealing private info of hundreds of thousands of shoppers in the US, Canada, the UK, and the Netherlands.
Blackbaud’s affected prospects are primarily non-profits, similar to healthcare agencies, charities, and educational organizations.
Information stolen by the hacker included unencrypted private info, similar to shoppers’ and donors’ full names, ages, dates of delivery, social safety numbers, addresses, cellphone numbers, e mail addresses, monetary particulars (checking account info, estimated wealth, and recognized property), medical and medical insurance info, gender, non secular beliefs, marital standing, partner names, spouses’ donation historical past, employment particulars, salaries, schooling, and account credentials.
The safety failure was exacerbated by Blackbaud not implementing its personal knowledge retention insurance policies, inflicting buyer knowledge to be saved for years longer than essential. Blackbaud additionally retained knowledge of former and potential prospects for years longer than required.
All of which was a treasure trove for the attacker, who demanded a ransom from Blackbaud or threatened to reveal the stolen knowledge. The corporate paid 24 Bitcoin (value US $235,000) to the hacker, however was not in a position to confirm if the deleted the information.
The poor knowledge retention practices weren’t the FTC’s solely complaints about Blackbaud’s dealing with of the incident.
The FTC criticized the corporate for not notifying prospects of the breach for 2 months after detection, saying Blackbaud had “misrepresented the scope and severity of the breach after an exceedingly inaccurate investigation.”
In line with Blackbaud’s buyer breach notification of July 16, 2020, “The cybercriminal didn’t entry bank card info, checking account info, or social safety numbers… No motion is required in your finish as a result of no private details about your constituents was accessed.”
Nevertheless, in line with the FTC, Blackbaud knew by the top of July that the attacker had taken shoppers’ checking account numbers and social safety numbers, however did not disclose this to its shoppers till October 2020.
The FTC’s verdict was damning:
“Blackbaud’s misleading statements, mixed with the months’ lengthy delay in offering correct discover concerning the breach, led many shoppers to consider that notification to their shoppers was pointless. Attributable to this delay in discover, shoppers suffered further hurt as a result of they’d no method to know that they wanted to take any mitigating steps to guard themselves from identification theft.”
The FTC’s full report makes surprising studying, revealing that Blackbaud “failed to observe makes an attempt by hackers to breach its networks, phase knowledge to forestall hackers from simply accessing its networks and databases, guarantee knowledge that’s not wanted is deleted, adequately implement multifactor authentication, and check, overview and assess its safety controls” and that it “allowed workers to make use of default, weak, or similar passwords for his or her accounts.”
As a part of a settlement with the FTC, Blackbaud has been ordered to harden its safety and delete pointless buyer knowledge.
“Blackbaud’s shoddy safety and knowledge retention practices allowed a hacker to acquire delicate private knowledge about hundreds of thousands of shoppers,” stated Samuel Levine, Director of the FTC’s Bureau of Shopper Safety. “Firms have a accountability to safe knowledge they keep and to delete knowledge they not want.”
Final yr, Blackbaud agreed to pay a $3 million charge from the SEC for deceptive disclosures about its ransomware assault, omitting vital info in a quarterly report, and “misleadingly characterised” the chance as “hypothetical.”
Blackbaud agreed to pay $49.5 million to settle claims introduced by the legal professional generals of 49 US states and Washington DC.
Blackbaud’s failure to safe its methods and entrusted knowledge has been very pricey for the corporate (fined, status broken), non-profit shoppers, and the general public vulnerable to identification theft via no fault of their very own.
